Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions
Custom Alert Banner

Are you an expert?    Interested in presenting at F5 AppWorld 2024?    Submit a proposal by Nov 29th!

iRule proxypass with profilessl

TTOM
Nimbostratus
Nimbostratus

‎22-Nov-2021 01:53

hello,

we are using proxypass irule to change pool when uri parameter change , so when user is hitting a.b.c.com/start it going to defined pool in datagroup and

thats working fine. Now we deploy certificates on servers side to secure traffic between F5 and physcial servers, and unfortunately it doesnt work.

We set on VIP SSL Profile (Server) as profilessl , we defined correctly in ProxyPassSSLProfiles datagroup : POOL -> profilessl , and during accessing a.b.c.com/test it response with : server doesnt send any data. It looks like loop , it finding rule but cannot proceed because we not receiving data.

When we access server directly( avoiding VIP) it respond without issue.

Below debugging from iRule.

0691T00000F7K1cQAF.png

Labels:
0 Kudos
11 REPLIES 11

boneyard
MVP
MVP

‎27-Nov-2021 04:33

you see a loop, did you check HTTPS is used now? might it hit a HTTP to HTTPS redirect on the backend perhaps?

0 Kudos

TTOM
Nimbostratus
Nimbostratus

‎29-Nov-2021 02:06

thank you for interesting of this topic. When I sniff traffic between F5 and physical server it looks like it want use SSL but strange things are happening, because it try negotiate TLS handshake and afterwards server is sending FIN. (we are using port 4004 for this communication ). Worth to mention , when I make this without proxypass its working ... 0691T00000F7ViwQAF.png

0 Kudos

CA_Valli
MVP
MVP
In response to TTOM

‎29-Nov-2021 07:36

"without proxypass its working" - so, without the iRule?

 

is your screenshot related to SSL error that you see when iRule is configured? Does it work as expected (ssl too) when you remove iRule? I would argue that in this case, default pool will always be selected (does default pool support SSL?)

 

What's the output of this command? (replace IP with a member of POOL_SSL)

 

(echo -e "GET /test/ HTTP/1.1\r\nHost: a.b.c.com\r\nConnection: Close\r\n\r\n";sleep 1) | openssl s_client -connect 10.xxx.yyy.zzz:4004

 

If your iRule balances between one pool that does not support SSL, and one that does support it, and you applied serverssl profile on Virtual Server, you might want to disable SSL when non-ssl pool is selected:

 

when SERVER_CONNECTED {

 if {[LB::server port] != 4004 } { # use "AND" statement for additional ports

  SSL::disable

 } 

}

 

 

0 Kudos

TTOM
Nimbostratus
Nimbostratus
In response to CA_Valli

‎01-Dec-2021 05:57

hello,

yes, when I remove iRule-ProxyPass and choose as POOL server with ssl - it is working.

You are right common/default pool for this VIP doesnt have SSL, output of command on screenshot .

I had to make own lab and Its strange, I suppose issue with irule proxypass, even when I made two POOLs and each host have 443 enabled I got bad request

It looks like server is getting requests on 80, But in LTM logs we can see I have matched serverssl profile to pool in datagroup of proxypass, also it is set on VIP (server ssl profile)

0 Kudos

boneyard
MVP
MVP
In response to CA_Valli

‎04-Dec-2021 05:53

your images don't work unfortunately.

0 Kudos

TTOM
Nimbostratus
Nimbostratus

‎07-Dec-2021 03:40

is it now visible ?

0691T00000F7ob1QAB.jpg0691T00000F7oarQAB.jpg

0 Kudos

boneyard
MVP
MVP
In response to TTOM

‎25-Jan-2022 10:50

yes this works, result is weird indeed.

if you capture do you then see a port 80 request?

0 Kudos

TTOM
Nimbostratus
Nimbostratus
In response to boneyard

‎04-Mar-2022 05:19

hello @boneyard, no, there is SSL communication too, now I testing on production but still not working... so now it looks :

1. Hitting VIP on 443 is ok

2. Hitting VIP with /uri which should forward traffic to POOL with SSL is NOK(port 4009), I see handshake to VIP and afterwards it correctly communicate to correct POOL on SSL port but response in browser : ERR_EMPTY_RESPONSE

any ideas ?

Preview file
41 KB
0 Kudos

boneyard
MVP
MVP
In response to TTOM

‎06-Mar-2022 11:15

the ERR_EMPTY_RESPONSE is probably the RST on TCP level.

so the server somehow doesn't like this, do you see anything in the logging there?

0 Kudos

TTOM
Nimbostratus
Nimbostratus
In response to boneyard

‎10-Mar-2022 06:06

@boneyardthank you for interesting of that topic, I was asking about that some time ago ours server administrators and they said that there is no firewall nor any blocks.

And when I try hit it without VIP on F5 it responding correctly, even when I set as default pool this one with ssl it also responinding correctly.

 

0 Kudos

TTOM
Nimbostratus
Nimbostratus
In response to boneyard

‎21-Mar-2022 03:00

hello @boneyard , regarding requests to backend server, I see now that it sending clear http request....on firts screenshoot you can see that we hitting VIP on 443 afterwards it redirect to backend server on port 4004 and send there http requests but nothing respond because there is SSL. on second screenshot is debugging from proxypass irule, we can see that its looping after "Removed Accept-Encoding header" httpreq.PNGirulelog.PNG

BR

 

 

 

0 Kudos
Copyright © 2023 Khoros, LLC